Introduction

This article explains how to configure a guest network, guest portal, and hotspot system if desired. It is important to note the differences between these three.

Guest Networks exist independently from the Guest Portal and/or Hotspot System , which are built-in tools for guest authentication, authorization & accounting. A user on a guest network will face different access restrictions from those faced by the trusted, “corporate” users on default UniFi networks. An administrator can create a guest network, but not enable the guest portal for authentication, or the hotspot, which is a guest management system for free or paid use of the network. On the other hand, to use a guest portal or hotspot system, a guest network must be enabled and configured. This article will explain how to enable all three.

Guest user traffic, by default, receives a few important restrictions, including:

Other restrictions include Pre & Post-Authorization Access to RFC 1918 Private LAN IP Ranges, as configured, under the Guest Control Settings tab.

Client Isolation, which means, Local traffic, such as layer-2 broadcasts, or unicast messages between Guests on the same local, is blocked. By default, this means that guest traffic is only intended to pass upstream or downstream, such as for internet use.

NOTE:

In order for the Guest Portal to function, the UniFi Controller itself must be running at all times. Guests are redirected to the Controller to reach the guest portal, and the redirection will not be successful if the controller is not accessible. See our Related Article on SELFRUN for options.

How to Create a UniFi Guest Network

Provide a name. This is what users will see when attempting to connect to your Wi-Fi network.

Select the method to be used to authenticate the guest network. A security key may be used, while also leveraging the Guest Portal, or you can leave it Open .

To make this new network a Guest Network, check the box "Apply guest policies…"

Make sure the checkbox for Enable this wireless network is checked. If at some point you wish to disable this network without deleting it, this is where that could be accomplished as well. Click Save .

At this point, the administrator has a working guest network, but more settings can be configured. The next section will explain how to set some guest control and create the guest portal, which is what the network guest users will see when they attempt to access the network.

How to Configure Guest Control and Guest Portal

In the UniFi Controller, the Guest Control section is where administrators configure the custom guest portal and define what subnets they should and should not be able to access before and after authorization.

To Configure Guest Control:

Open the UniFi Controller to Settings > Guest Control .

Under Access Control , you can restrict and give access to hostnames or subnets as follows:

To Configure the Guest Portal:

In order to require guests to interact with the guest portal, check the box for Enable Guest Portal . Doing so will open additional options including the authentication method associated with the Guest Portal, Expiration Term, etc.

ATTENTION: In order for the Guest Portal’s Redirection:Use Secure Portal option to function you will need to buy or generate an SSL certificate for the UniFi Controller.

User Tip: Customize your portal as little or as much as you want. For the background image, jpg format is recommended. An image of about 920px wide and 640px high is recommended. For the logo image, PNG format and 400px width and height are recommended.

As explained in step 2, the Access Control settings will define subnets necessary for devices to be able to access before and after authorization. An example of a case in which Pre-Authorization Access can be useful is ensuring that devices can access the guest portal before being Authorized—to do this, simply define the subnet that contains the guest portal IP address. Similarly, if there is a subnet on the internal network you do not wish to allow your guests access to after connecting, you can use the Post-Authorization Restrictions to define these.

When troubleshooting cases where users report not being able to access the guest portal, the most common cause seen is not having the Access Control properly configured.

UniFi Hotspot System

Intended as a separate guest management platform, the UniFi Hotspot System comes freely integrated into the UniFi Controller software. UniFi Controller admins and hotspot operators can access the Hotspot System via the GO TO HOTSPOT MANAGER link in Settings > Guest Control > Hotspot section. Users will be redirected to another area of the UniFi Controller for hotspot management exclusively.

How to Limit Guest Bandwidth

Another useful feature in the UniFi Controller is the ability to limit bandwidth allocation to different user groups. This may be important to ensure guests do not limit the productivity and speed available to permanent users/critical applications. To limit guest bandwidth follow the steps below:

LAN-Wide Client Isolation

Once the guest network is set up on the WLAN (AP) side—it is necessary to make sure the LAN has sufficient isolation, while also allowing common services which may be required (printers, servers, etc.).

In addition to providing the desired client isolation, LAN-side controls on client isolation reduce/eliminate unnecessary broadcast/multicast data, which if left unchecked will have an adverse impact on installation with around 10 or more WLAN APs (see here for details).

The diagram below shows a generalized layout for network-wide (WLAN and LAN) client isolation, while still allowing network-wide core services.

Related Articles

At Liquid Layer Web Hosting [LiquidLayer.net], we’ve made a shared web hosting platform that’s both feature-rich and easy to make use of. Our programmers have built up a custom Linux cloud web hosting platform plus an innovative Control Panel that perfectly takes advantage of its capabilities. After long hours of programming and bug fixing on our end, we are now capable to guarantee that all of our shared web hosting services are safe, virus-free, full of capabilities and very easy-to-work-with. In addition, they feature 99.9% server uptime as well as 99.9% network uptime warranties.